A compiler for parallelizing IP-packet filter rules is presented which will improve network security and reduce packet-forwarding performance degradation. It analyzes the interdependence of packet-filtering rules specified by a network administrator and translates them into an intermediate program whose instructions can be executed in parallel. Three types of compiler operations are introduced: division is used to divide the rules into parallel expressions, simplification is used to simplify redundant rules, and deletion is used to delete infeasible rules. (9 Ref.)

Internet firewalls control the data traffic in and out of an enterprise network by checking network packets against a set of rules that embodies an organization's security policy. Because rule checking is computationally more expensive than routing-table look-up, it could become a potential bottleneck for scaling up the performance of IP routers, which typically implement firewall functions in software. In this paper, we analyze the performance problems associated with firewalls, particularly packet filters, propose a connection cache to amortize the costly security check over the packets in a connection, and report the preliminary performance results of a trace-driven simulation that shows the average packet check time can be reduced by a factor of at least 2.5. (4 Ref.)

Network firewalls and routers use a rule database to decide which packets will be allowed from one network on to another. By filtering packets, the firewalls and routers can improve security and performance. However, as the size of the rule list increases, it becomes difficult to maintain and validate the rules, and lookup latency may increase significantly. Both these factors tend to limit the ability of firewall systems to protect networks. This paper presents a new technique for representing rule databases. This representation (based on ordered binary decision diagrams) can be used in two ways: faster lookup algorithms can allow larger rule sets to be used without sacrificing performance, and algorithms for validating rule sets and changes to rule sets can be used. The overall dependability of the system is improved by allowing larger and more sophisticated rule sets, and by having greater confidence in the rule sets' correctness. (11 Ref.)

The ability to classify packets according to pre-defined rules is critical to providing many sophisticated value-added services, such as security, QoS, load balancing, traffic accounting, etc. Various approaches to packet classification have been studied in the literature with accompanying theoretical bounds. Practical studies with results applying to a large number of filters (from 8K to 1 million) are rare. In this paper, we take a practical approach to the problem of packet classification. Specifically, we propose and study a novel approach to packet classification which combines a heuristic tree search with the use of filter buckets. Besides high performance and a reasonable storage requirement, our algorithm is unique in the sense that it can adapt to the input packet distribution by taking into account the relative filter usage. To evaluate our algorithms, we have developed realistic models of large-scale filter tables, and used them to drive extensive experimentation. The results demonstrate the practicality of our algorithms for up to even 1 million filters. (9 Ref.)

Packet filters are rules for classifying packets based on their header fields. Packet classification is essential to routers supporting services such as quality of service (QoS), virtual private networks (VPNs), and firewalls. A filter conflict occurs when two or more filters overlap, creating an ambiguity in packet classification. Current techniques for resolving filter conflicts are based on prioritizing conflicting filters and choosing the higher-priority filter. We show that such ordering does not always work. Instead, we propose a new scheme for conflict resolution, which is based on the idea of adding resolve filters. Our main results are algorithms for detecting and resolving conflicts in a filter database. We have tried our algorithm on 3 existing firewall databases, and have found conflicts, which are potential security holes, in each of them. (13 Ref.)

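The overlap-and-resolve-filter idea in the abstract above, as an added example that is not the paper's own algorithm: two source/destination prefix filters conflict when they overlap, neither contains the other, and their actions differ, so first-match lookup gives a different answer depending on rule order; a resolve filter covering exactly the intersection makes the intended action explicit. The Filter shape, the sample rule values and the first-match lookup are assumptions made for this example.

```python
import ipaddress
from typing import NamedTuple, Optional

Net = ipaddress.IPv4Network

class Filter(NamedTuple):
    src: Net
    dst: Net
    action: str  # "permit" or "deny"

def _intersect(a: Net, b: Net) -> Optional[Net]:
    # Prefixes are either nested or disjoint: the intersection, when it
    # exists, is the more specific of the two.
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def _covers(outer: Filter, inner: Filter) -> bool:
    return inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)

def find_conflict(f1: Filter, f2: Filter) -> Optional[tuple]:
    """Return the ambiguous (src, dst) region, or None.

    Conflict means: the filters overlap, neither contains the other (so no
    priority order is right for every packet) and the actions differ.
    Nested filters are not conflicts; just list the specific one first.
    """
    src, dst = _intersect(f1.src, f2.src), _intersect(f1.dst, f2.dst)
    if src is None or dst is None or f1.action == f2.action:
        return None
    if _covers(f1, f2) or _covers(f2, f1):
        return None
    return (src, dst)

def resolve(f1: Filter, f2: Filter, action: str) -> list:
    """Prepend a resolve filter covering exactly the ambiguous region."""
    region = find_conflict(f1, f2)
    return [f1, f2] if region is None else [Filter(*region, action), f1, f2]

def lookup(rules: list, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation, as an ordered firewall rule list is applied."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "default-deny"

# Constructed sample: neither filter contains the other and actions differ.
F1 = Filter(Net("10.0.0.0/8"), Net("192.168.1.0/24"), "deny")
F2 = Filter(Net("10.1.0.0/16"), Net("192.168.0.0/16"), "permit")
```

With F1 and F2 as given, a packet from 10.1.2.3 to 192.168.1.9 is denied if F1 is listed first and permitted if F2 is, which is the ordering failure the abstract describes.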